Analysis

max time kernel: 143s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:02
Static task: static1

Behavioral task: behavioral1
  Sample: 0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe
  Resource: win10v2004-en-20220113
General

Target: 0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe
Size: 89KB
MD5: ea08dc0138c61cde207656ab4f57838c
SHA1: 6ebfe19ef71c69a550ef0763edf1059b41c252e9
SHA256: 0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09
SHA512: a3da85c3ba4a67d498fdf31810c4c90e42c536aec082aa4c4b0faab805720ca12ee2199c1e532319c4855651ea0aa35ffc93a73e04a16c213187e5bda8634ae4
Malware Config

Signatures

Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  MediaCenter.exe, PID 1312

Deletes itself (1 IoC)
Processes:
  cmd.exe, PID 1816

Loads dropped DLL (1 IoC)
Processes:
  0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe, PID 1736

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe, PID 1736: Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1736 (0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe) wrote to memory of PID 1312 (MediaCenter.exe): 4 events
  PID 1736 (0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe) wrote to memory of PID 1816 (cmd.exe): 4 events
  PID 1816 (cmd.exe) wrote to memory of PID 428 (PING.EXE): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1312)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 1816)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0be34184ee6610171da9dcd678fedf795921707505d384327419e4b03170ac09.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 428)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 84a733a40bf4cbfa6a74418503ecfd9d
SHA1: 1ad6573bd0187d9ac4e6cdc4168c65fbf815fd66
SHA256: 12f8cd5f0bfb1d4f63a46ee86f05d50c385505d30e5267e5514a6a35555406ee
SHA512: eaf74c56f8087d59db8498fd97f04ae892f0e4e0782bab5372ae18963a78ea182447a2f3305aa35074e2aecb1dad6da9387c4d97685c52907d20bec982612c70